TeslaWare Ransomware

Nasty ransomware infections are spotted almost every day. TeslaWare ransomware is one of those threats that gets onto the computer unnoticed but is clearly visible once it has finished the encryption process. It locks users out of their files and demands a ransom in return. If you do not have a copy of your files on a separate drive, that means that you are in trouble. Backing up your valuable data is one of the measures that keeps you on the safe side, since cyber criminals do not bother to create decryption tools, even though some cases in which the decryption keys of ransomware were shared are known to malware researchers and affected users.

Advanced users can try decrypting their files using the decryption key obtained:

Z85tp2sWTW1LQGvT2CTOUgaKHDWNWY===

The key should work on the window displayed by the ransomware, but the odds are that a special decryption software could be necessary to use the key successfully.

The TeslaWare ransomware encrypts multiple files, but it does not lock the screen. This threat is capable of encrypting over 100 file types, including .txt, .mp4, .ppt, .png, .doc, etc. The Tesla threat targets different system directories, including the desktop and common folders of the operating system such as Pictures, Documents, Downloads, Music, Videos, Templates, History, and, most important, a whole range of disk partitions, whose names usually consist of a single capitalized letter. Virtually the whole system is scanned for the files targeted by the attackers.

The encrypted files remain on the computer and can be identified as affected by the extension .Yugo added after the original extension. Some older strains of ransomware are known to lock the screen in addition to all the havoc caused, but the TeslaWare ransomware is not built to disable access to different directories. This is seemingly done so that a victim can find and open a .txt file containing information about the issue. On top of that, the TeslaWare ransomware launches its ransom window at every start-up of the system. The point of execution of this threat has been found in the Windows Registry, in the MicrosoftAudioDriver value of the key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

This registry key should be edited as part of the infection’s component when removing the threat manually.

According to the TeslaWare warning, your data is encrypted with the AES-128 encryption algorithm, and you are supposed to pay a ransom fee within 7 days. After the deadline, the data is claimed to be lost for good. Not surprisingly, the attackers want the cryptocurrency Bitcoin, which is used without any centralized bank and without a possibility to identify its users. The present strain of ransomware is seemingly targeted at the Eurozone countries, mainly Germany, because of the Euro currency and the link to a German Wikipedia page about Bitcoin. The ransom window displayed by the infection shows that the attackers want €300 in bitcoins, whereas the text in the notepad file gives the sum of 0.4250 BTC. Moreover, two different digital wallet addresses are given, which may be done purposely or by mistake. In general, the malicious infection seems to be lacking some finishing touches, which suggests that this variant might be a test sample. Nevertheless, it is crucial to remove TeslaWare and take preventative measures so as not to get into the same situation again.

Researchers have also found that the Tesla Trojan is capable of searching for and killing processes named Taskmgr, ProcessHacker, and ProcessExplorer. The latter one refers to a software program that helps a user to handle DLL file-related issues.

How to remove TeslaWare Ransomware

Press Win+R and type in regedit.

Click OK.

Remove the MicrosoftAudioDriver value from the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Close Registry Editor and press Win+R.

Type in %Temp% and press Enter.

Delete questionable files.

Also check the folders Downloads and Desktop for undesirable files, including the .txt file containing the ransom message.
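The manual steps above can be checked with a script. The following PowerShell is an added example written for this article, not a tool from the researchers or the malware's own code; it assumes the registry value name and the .Yugo extension described above and only removes the persistence value when -Remove is passed.

```powershell
# Added example (not from the original article): checks for the TeslaWare
# persistence value described above and lists files carrying the .Yugo extension.
# Run in the affected user's PowerShell session; nothing is removed until -Remove is given.
param(
    [switch]$Remove
)

$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'MicrosoftAudioDriver'   # value name given in the removal steps

# 1. Persistence check: report the Run value and the command it points to.
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties[$valueName]) {
    $cmd = $props.$valueName
    Write-Host "Found Run value '$valueName' -> $cmd"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $valueName
        Write-Host "Removed '$valueName' from $runKey"
    }
} else {
    Write-Host "Run value '$valueName' not present."
}

# 2. Inventory of encrypted files: the article says .Yugo is appended after the
#    original extension (e.g. report.doc.Yugo). Files are only listed, never
#    deleted, so they are still available if a decryptor becomes available.
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('MyPictures'),
    (Join-Path $env:USERPROFILE 'Downloads')
)
$encrypted = Get-ChildItem -Path $roots -Recurse -File -Filter '*.Yugo' -ErrorAction SilentlyContinue
Write-Host ("{0} file(s) with the .Yugo extension found." -f @($encrypted).Count)
$encrypted | Select-Object -First 20 FullName

# 3. %Temp% review: list files written in the last 7 days (the ransom deadline
#    mentioned in the note) for manual inspection, as the steps above suggest.
Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 FullName, LastWriteTime
```

Run it once without -Remove to confirm the value and file list match what you expect, then again with -Remove to clear the persistence entry.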